Software engineering, reverse engineering, OS internals and stuff…

I suppose I'm just not good with this kind of thing, e.g. maintaining a blog.

Anyway, this post is about something easy and fun. I was asked about a tiny hello-world Mach-O, and since it had been at least a year since I last played with a Mach-O file, it felt like a very good excuse to play with them once again.

The first thing I did was go over to www.osxbook.com. I was pretty sure Amit Singh would already have written a tiny Mach-O, and that was the case.

I downloaded tiny.asm and started from this phrase: “There are plenty of zeros lurking in there.”

LC_SEGMENT segnames are fixed 16-byte fields, so a short name like __TEXT leaves zero padding behind it; we can use that padding to store a few opcodes (there must still be a NUL terminator right after the name).

The register values in the LC_UNIXTHREAD thread state are loaded before the first instruction runs, so we can use them to carry initial values the code needs (a syscall number, for example) instead of spending bytes on larger mov-immediate opcodes.

That's all, and it gives us a 180-byte valid and working hello-world Mach-O, which is pretty small.
I think it's still possible to make an even smaller one, but it would probably work on 10.8 and later only.
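The two tricks above, as an added example that is not part of the original post or of rev_mach-o.asm: a C program that builds a 32-bit i386 Mach-O in the tiny.asm layout (one LC_SEGMENT mapping the whole file at 0x1000, one LC_UNIXTHREAD), places the first instructions in the nine zero bytes left after "__TEXT\0", and hands the write(2) syscall number and the stdout descriptor to the code through eax and ebx in the thread state. The struct layouts and constants follow <mach-o/loader.h>; the instruction bytes, the jump from the segname padding to the code after the load commands, and the Darwin i386 int 0x80 calling convention they rely on are this example's own assumptions, and the program writes the file without running it (a 32-bit binary of this kind only ran on the OS X versions the post is about). A second function re-reads the image as a loader would and checks the invariants the two tricks depend on.

```c
/* Added example, not code from the original post or from rev_mach-o.asm/tiny.asm:
 * builds a 32-bit i386 Mach-O in the tiny.asm layout and applies the two tricks
 * above (opcodes in the segname padding, eax/ebx preloaded via LC_UNIXTHREAD).
 * Layouts and constants mirror <mach-o/loader.h>; the hello-world bytes and their
 * placement are this example's own choices. It writes the file; it does not run it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MH_MAGIC 0xfeedfaceu
enum { CPU_TYPE_I386 = 7, CPU_SUBTYPE_I386_ALL = 3, MH_EXECUTE = 2, MH_NOUNDEFS = 1, LC_SEGMENT = 1,
       LC_UNIXTHREAD = 5, X86_THREAD_STATE32 = 1, X86_THREAD_STATE32_COUNT = 16, VM_PROT_RX = 5,
       VM_PROT_RWX = 7, SYS_WRITE = 4 /* Darwin BSD syscall numbers: write is 4, exit is 1 */,
       BASE_VMADDR = 0x1000, SEGNAME_LEN = 16, MSG_LEN = 14,
       STASH_LEN = 9 /* code bytes after "__TEXT\0" */, TAIL_LEN = 9 /* code after load commands */ };
static const char MSG[] = "Hello, world!\n";   /* constructed payload */

/* Every field is 32 bits wide, so these structs carry no compiler padding. */
struct mach_header { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags; };
struct segment_command { uint32_t cmd, cmdsize; char segname[SEGNAME_LEN];
    uint32_t vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags; };
struct thread_command { uint32_t cmd, cmdsize, flavor, count;   /* followed by x86_thread_state32_t */
    uint32_t eax, ebx, ecx, edx, edi, esi, ebp, esp, ss, eflags, eip, cs, ds, es, fs, gs; };
struct tiny_macho { struct mach_header mh; struct segment_command seg; struct thread_command th; };

/* Padding left after a segname's NUL: 16 - strlen - 1, or -1 if even the NUL does not fit. */
int segname_free_bytes(const char *name) {
    size_t n = strlen(name);
    return n + 1 > SEGNAME_LEN ? -1 : (int)(SEGNAME_LEN - n - 1);
}

/* Emit the image into out; returns its size, or 0 if it does not fit. */
size_t build_tiny_macho(uint8_t *out, size_t cap) {
    const char *segname = "__TEXT";
    size_t stash_off = sizeof(struct mach_header) + offsetof(struct segment_command, segname)
                     + strlen(segname) + 1;              /* 43: first byte after the NUL       */
    size_t tail_off = sizeof(struct tiny_macho);         /* 164: right after the load commands */
    size_t msg_off = tail_off + TAIL_LEN, total = msg_off + MSG_LEN;
    uint32_t msg_vm = BASE_VMADDR + (uint32_t)msg_off;
    uint8_t stash[STASH_LEN] = {                         /* push MSG_LEN; push msg; jmp tail   */
        0x6A, MSG_LEN, 0x68, (uint8_t)msg_vm, (uint8_t)(msg_vm >> 8), (uint8_t)(msg_vm >> 16),
        (uint8_t)(msg_vm >> 24), 0xEB, (uint8_t)(tail_off - (stash_off + STASH_LEN)) };
    /* Darwin i386 int 0x80 reads its arguments from the stack above a return-address slot. */
    static const uint8_t tail[TAIL_LEN] = {
        0x53, 0x53, 0xCD, 0x80,   /* push ebx; push ebx; int 0x80  -> write(1, msg, MSG_LEN)  */
        0x31, 0xC0, 0x40,         /* xor eax,eax; inc eax          -> eax = SYS_exit          */
        0xCD, 0x80 };             /* int 0x80                      -> exit(fd still at esp+4) */
    struct tiny_macho m;
    if (cap < total || segname_free_bytes(segname) < STASH_LEN) return 0;
    memset(&m, 0, sizeof m);
    m.mh.magic = MH_MAGIC; m.mh.cputype = CPU_TYPE_I386; m.mh.cpusubtype = CPU_SUBTYPE_I386_ALL;
    m.mh.filetype = MH_EXECUTE; m.mh.ncmds = 2; m.mh.flags = MH_NOUNDEFS;
    m.mh.sizeofcmds = sizeof m.seg + sizeof m.th;
    /* Trick 1: one __TEXT segment maps the whole file; the zeros after "__TEXT\0" carry code. */
    m.seg.cmd = LC_SEGMENT; m.seg.cmdsize = sizeof m.seg;
    strcpy(m.seg.segname, segname);
    memcpy(m.seg.segname + strlen(segname) + 1, stash, STASH_LEN);
    m.seg.vmaddr = BASE_VMADDR; m.seg.vmsize = 0x1000; m.seg.filesize = (uint32_t)total;
    m.seg.maxprot = VM_PROT_RWX; m.seg.initprot = VM_PROT_RX;
    /* Trick 2: eax/ebx arrive preloaded, so no mov-immediate is spent on them.
     * esp stays 0 as in tiny.asm; the kernel supplies the user stack. */
    m.th.cmd = LC_UNIXTHREAD; m.th.cmdsize = sizeof m.th;
    m.th.flavor = X86_THREAD_STATE32; m.th.count = X86_THREAD_STATE32_COUNT;
    m.th.eax = SYS_WRITE; m.th.ebx = 1;                  /* write(2) number, stdout fd */
    m.th.eip = BASE_VMADDR + (uint32_t)stash_off;        /* entry point inside segname */
    memcpy(out, &m, sizeof m);
    memcpy(out + tail_off, tail, TAIL_LEN);
    memcpy(out + msg_off, MSG, MSG_LEN);
    return total;
}

/* Re-read the image as a loader would and confirm what the tricks rely on: a
 * NUL-terminated segname, the entry point right after that NUL, and the code
 * inside the single executable segment. Returns 1 when consistent. */
int check_tiny_macho(const uint8_t *buf, size_t len) {
    struct tiny_macho m; size_t n = 0;
    if (len < sizeof m) return 0;
    memcpy(&m, buf, sizeof m);
    if (m.mh.magic != MH_MAGIC || m.mh.ncmds != 2 || m.seg.cmd != LC_SEGMENT) return 0;
    if (m.seg.fileoff != 0 || m.seg.filesize != len || !(m.seg.initprot & 4)) return 0;
    if (m.th.cmd != LC_UNIXTHREAD || m.th.flavor != X86_THREAD_STATE32) return 0;
    while (n < SEGNAME_LEN && m.seg.segname[n] != '\0') n++;
    if (n == SEGNAME_LEN) return 0;                      /* no NUL: nothing stashed safely */
    if (m.th.eip != m.seg.vmaddr + sizeof m.mh + offsetof(struct segment_command, segname) + n + 1) return 0;
    return m.th.eip < m.seg.vmaddr + m.seg.filesize;
}

/* Static-image helpers: size (0 on failure), byte at an offset (-1 past the end), self-check. */
static uint8_t g_image[256];
size_t tiny_image_size(void) { return build_tiny_macho(g_image, sizeof g_image); }
int tiny_image_byte(size_t off) { return off < tiny_image_size() ? g_image[off] : -1; }
int tiny_image_ok(void) { size_t n = tiny_image_size(); return n != 0 && check_tiny_macho(g_image, n); }

int main(int argc, char **argv) {                        /* usage: ./tiny_builder [outfile] */
    const char *path = argc > 1 ? argv[1] : "tiny_hello";
    FILE *f = tiny_image_ok() ? fopen(path, "wb") : NULL;
    if (!f) { fprintf(stderr, "cannot build image or open %s\n", path); return 1; }
    fwrite(g_image, 1, tiny_image_size(), f); fclose(f);
    printf("wrote %zu bytes to %s\n", tiny_image_size(), path);
    return 0;
}
```

Build it with cc -o tiny_builder tiny_builder.c and run ./tiny_builder tiny_hello. The image comes out at 187 bytes, larger than the post's 180, because it applies only the two tricks listed above and nothing else; the point is to see where the stashed bytes land (file offset 43, right after the NUL of __TEXT) and that the entry point in LC_UNIXTHREAD points there rather than past the load commands.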

    ;; yasm -f bin rev_mach-o.asm
    ; it's tiny.asm from http://osxbook.com/blog/2009/03/15/crafting-a-tiny-mach-o-executable/
    ; with very few modifications in order to have both a valid and working hello-world mach-o
    ;
    ; http://twitter.com/__rev
    ;

First article for the blog; let's talk about something I have had in mind for a while.
There has been a lot of talk about the full ASLR introduced in Mac OS X Lion, so as soon as I had my hands on the OS I wanted to check what changes had been introduced.

Let's start from the very beginning: Mach-O. To understand the differences introduced in Lion, we first need to look at a Mach-O built on two different OS versions; we will take Snow Leopard as the reference. Let's build this simple test program:

    int main(void)
    {
        while (1) { }
        return 0;
    }

If we compile that code on Lion with no specific options passed to gcc, we will notice a difference from the very same code compiled on Snow Leopard. The difference is the presence of the header flag MH_PIE (position-independent executable):
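To spot that difference without otool -hv, here is an added example that is not the post's code: a C program that reads a Mach-O header and reports whether MH_PIE (0x200000) is set. It handles both the 28-byte 32-bit header and the 32-byte 64-bit one, and byte-swapped (big-endian, e.g. ppc) images, since the flags word sits at offset 24 in either case; fat (universal) binaries are rejected rather than unpacked. The sample headers it carries are constructed for the example (the flag values follow what a dynamically linked executable typically shows, NOUNDEFS|DYLDLINK|TWOLEVEL with or without PIE), and the constants mirror <mach-o/loader.h>.

```c
/* Added example, not code from the original post: read a Mach-O header and
 * report whether MH_PIE is set. Constants mirror <mach-o/loader.h>; the sample
 * headers at the bottom are constructed here. Fat (universal) binaries are
 * rejected rather than descended into. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC     0xfeedfaceu   /* 32-bit header, little-endian file       */
#define MH_CIGAM     0xcefaedfeu   /* 32-bit header, byte-swapped (big-endian) */
#define MH_MAGIC_64  0xfeedfacfu   /* 64-bit header, little-endian file       */
#define MH_CIGAM_64  0xcffaedfeu   /* 64-bit header, byte-swapped             */
#define MH_PIE       0x200000u     /* OS loads the main executable at a random address */
#define MH_FLAGS_OFF 24            /* flags sit at the same offset in both header sizes */

/* Read a 32-bit word from the file bytes, little-endian unless swap is set. */
static uint32_t rd32(const uint8_t *p, int swap) {
    return swap ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
                : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Size of the thin header (28 or 32) with its flags word in host order, or -1
 * when buf is too short, a fat binary, or anything else without a Mach-O magic.
 * The magic is read little-endian as on the Intel hosts of the post; a
 * big-endian (ppc) image then shows up as MH_CIGAM and its fields get swapped. */
int macho_header(const uint8_t *buf, size_t len, uint32_t *flags) {
    int swap, size;
    if (len < 28) return -1;
    switch (rd32(buf, 0)) {
    case MH_MAGIC:    swap = 0; size = 28; break;
    case MH_MAGIC_64: swap = 0; size = 32; break;
    case MH_CIGAM:    swap = 1; size = 28; break;
    case MH_CIGAM_64: swap = 1; size = 32; break;
    default:          return -1;            /* includes FAT_MAGIC 0xcafebabe */
    }
    if (len < (size_t)size) return -1;
    if (flags) *flags = rd32(buf + MH_FLAGS_OFF, swap);
    return size;
}

/* 1 if MH_PIE is set, 0 if not, -1 if buf is not a thin Mach-O header. */
int macho_is_pie(const uint8_t *buf, size_t len) {
    uint32_t flags;
    if (macho_header(buf, len, &flags) < 0) return -1;
    return (flags & MH_PIE) != 0;
}

const char *pie_verdict(const uint8_t *buf, size_t len) {
    switch (macho_is_pie(buf, len)) {
    case 1:  return "MH_PIE set";
    case 0:  return "MH_PIE not set";
    default: return "not a thin Mach-O";
    }
}

/* Constructed sample headers (no load commands follow), bytes in file order:
 * an x86_64 executable with flags NOUNDEFS|DYLDLINK|TWOLEVEL|PIE (0x00200085),
 * the same without PIE (0x00000085), a big-endian 32-bit ppc header with PIE
 * set to exercise the swap path, and a fat-binary prefix. */
const uint8_t HDR_X86_64_PIE[32] = {
    0xCF,0xFA,0xED,0xFE, 0x07,0x00,0x00,0x01, 0x03,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x85,0x00,0x20,0x00, 0x00,0x00,0x00,0x00 };
const uint8_t HDR_X86_64_NOPIE[32] = {
    0xCF,0xFA,0xED,0xFE, 0x07,0x00,0x00,0x01, 0x03,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x85,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };
const uint8_t HDR_PPC_PIE[28] = {
    0xFE,0xED,0xFA,0xCE, 0x00,0x00,0x00,0x12, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x02,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x20,0x00,0x85 };
const uint8_t HDR_FAT[28] = { 0xCA,0xFE,0xBA,0xBE, 0x00,0x00,0x00,0x02 };

int main(int argc, char **argv) {              /* usage: ./is_pie [executable] */
    uint8_t buf[32];
    FILE *f;
    size_t n;
    if (argc < 2) {
        printf("x86_64 Lion-style build:    %s\n", pie_verdict(HDR_X86_64_PIE, sizeof HDR_X86_64_PIE));
        printf("x86_64 pre-Lion build:      %s\n", pie_verdict(HDR_X86_64_NOPIE, sizeof HDR_X86_64_NOPIE));
        printf("ppc big-endian sample:      %s\n", pie_verdict(HDR_PPC_PIE, sizeof HDR_PPC_PIE));
        printf("fat binary prefix:          %s\n", pie_verdict(HDR_FAT, sizeof HDR_FAT));
        return 0;
    }
    if (!(f = fopen(argv[1], "rb"))) { perror(argv[1]); return 1; }
    n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    printf("%s: %s\n", argv[1], pie_verdict(buf, n));
    return 0;
}
```

Run it with no arguments to see the verdicts for the constructed samples, or point it at a binary (./is_pie ./a.out) to compare what gcc produced on each OS; only the first 32 bytes of the file are read, which is all the header needs.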